Owning Virtual Worlds For Fun and Profit

Trailrunner7 writes "Threatpost has a guest column by security researcher Charlie Miller on the ways in which attackers can easily take advantage of vulnerabilities in virtual worlds and perhaps online games to get control of other players' characters and avatars and even cash out their real-world bank accounts. From the article: 'It turns out that Second Life uses QuickTime Player to process its multimedia. When I started looking into virtual world exploits, with the help of Dino Dai Zovi, there was a stack buffer overflow in QuickTime Player that had been discovered by Krystian Kloskowski but had not yet been patched. In Second Life it is possible to embed images and video onto objects. We embedded a vulnerable file onto a small pink cube and placed it onto a [tract] of land we owned. No matter where the cube was, if a victim walked onto the land and had multimedia enabled (recommended but not required), they would be exploited. The cube could be inside a building, hovering in the air, or even under the ground, and the result was the same.'"

Re:

[shadowfaxcrx]

funny, but unlike a normal MMO, Second Life's virtual money is purchased with real money by design. And there have already been property-rights lawsuits over virtual land and items within second life.

what about the IRS and profit? IP rights are one t

[Joe The Dragon]

what about the IRS and profit? IP rights are one thing but you still own the tax on them.

Re:

[blair1q]

They don't care what you bought and sold, they want to know you did it and how much you made from it.

Then they want you to add that to your AGI and pay tax on it.

If you buy a virtual item for real money, then sell it for more real money, you are legally required to report the difference as income to the IRS.

Bartering virtual items (gold, swords, etc.) for each other is no different. You take the value you got for it, subtract the value you originally paid for it, and that's your income from the trade, whic

Re:

[shadowfaxcrx]

to expand on what I said above, I don't think that's going to happen. What is the point of going after taxes on purchases which most likely average a couple bucks or less? The government would spend much more tracking and prosecuting people "evading" taxes than they would take in.

Re:

[g0bshiTe]

Just 2 short years ago, I knew a several players that were generating some decent income from a game. 1 guy was pulling in $1000 USD per month. 2 women I knew built hair, between them they were pulling in nearly $4000 USD a month, they ended up pulling in enough per month to lease their own entire sim.

Re:

[shadowfaxcrx]

Just two short years ago, "the fundamentals of the economy" were "strong," the housing market was on the rise and, according to bankers, would never stop rising, and people actually had money to spend (even if it was borrowed from Visa). I'd be surprise if the 2 women you're talking about are still selling $4,000 worth of hair drawings per month.

Re:

[shadowfaxcrx]

As far as I know (disclaimer: I am not on second life) the tax is rolled into the currency exchange.

If you then buy stuff in game with it, you've already paid sales tax on it by buying the virtual currency, just as you don't have to pay some sort of value-acquisition tax when you get a new sword in WoW because that's part of the game that you paid (and were taxed) for with the monthly subscription fee.

My guess is that the few people making a profit off of selling things in second life (and I doubt there are

Re:

[shadowfaxcrx]

That was a typo - I meant $1,000 lindens.

Regarding what you make, that's great, but if the exchange rate is still roughly 4 bucks to $1,000 lindens, then you're making 8-12 bucks an hour. Decent for playing a video game, yes, but hardly a living wage, especially since I doubt the virtual clubs provide employee health insurance ;)

At any rate, $360USD a quarter is nice for an individual who wants to buy a toy at Newegg, but from the government's perspective, they'd probably spend that just in employee wages i

So...

[Jorl17]

So...we were just told that with every new application comes a new series of security flaws?

That's what keeps the industry running!

Re:

[TarMil]

So...we were just told that with every new application comes a new series of security flaws? That's what keeps the industry running!

Yup, and that's what keeps /. talking.

Re:

[g4b]

and of course flaming.

Re:So...

[Securityemo]

Shhh! Don't tell anyone!

Re:

[Ihmhi]

Aw crap guys, you got the Security Emo all depressed. Now's he gonna try to cut his wrists with a rusty Zip Disk.

Bad Internet! Bad!

Re:So...

[Rei]

I once coded for a free MMO and discovered a vulnerability in how they handled web autolinking -- you know, when you say something and it turns the text into a clickable link that will open in your web browser. At least for the unix client, they were handling it with popen (I forget how they did it for windows). Just the straight, raw, unmodified string. Talk about a huge freaking command injection target. :P But the people who ran the game were so hesitant to allow any security fixes out of fear that they might break something (yeah, I know... it drove me crazy). They just wanted me to keep coding the special effects system and not say a word of the flaw. It took me writing an exploit for it that would remove all of the files in the user's home directory (or the whole system if they ran the game as root) before they reluctantly agreed to let me patch it. And the exploit was so simple -- all you had to do was to say a particular malformed URL, it'd appear as an innocent link, and anyone who clicked it would be wiped.

They *wouldn't* let me patch lesser security issues, such as those that would actually verify that data being sent back and forth was from who it said it was, to avoid a man-in-the-middle attack. They were purely reliant on the TCP stream; that was their only "security". And they did nothing to maintain a secure channel to prevent sniffing.

Be careful with what you run on your system. :P

Much more innocently, the first thing I ever did along these lines was back in the mid/late '90s and had to do with the MUD client zMud. It had an obscure feature that would let muds embed sound effects; if the mud output a particular string, it'd interpret part of it as a path to a sound file. So I had fun SHOUTing those commands with the path to windows system sounds included and making everyone's computer who used zMud start making noise ;) That was, until I got scolded by a wizard...

Re:

[Sockatume]

I love technology. You made people's computers burst into noise thousands of miles away, and were repremanded by a sorceror. What a great time to be alive.

Re:

[Vegar]

I once coded for a free MMO

This wouldn't happen to be the MMO wherein there is a lot of Entropy, if you know what I mean?

Re:

[Rei]

Bingo. ;)

P.S. -- Some of the best special effects I coded were never used. :P But they're still sitting around in the code base, supported by the client -- they just never got added to any maps. For example, blowing 3d leaves that accumulate around objects, then swirl away.

It's a content browser.

[Securityemo]

A program that interacts with a virtual world in this manner is no different from a browser or other client. And clients have historically been a huge source of attack vectors. Now, what would be useful and unique - stealing the user's stuff by infecting the client or MITMing the connection at the client machine (between the client software and the network card.) The admins could easily pick up on this and trace the trail the simoleons/swords/whatever takes - but by then, they could already have been sold for real money to some poor guy who though he got a great deal. Especially in Second Life, where it seems like transactions like that can take place very rapidly.

Re:

[Securityemo]

I'm an idiot who does't read articles - he did construct shellcode to puppeteer the client's avatar from inside the client program. And it's goddamn awesome.

Re:

[quanticle]

He doesn't really explain, but he says that he used the shell access that the QuickTime exploit gave him to inject code into the main event loop of the Second Life client. I too would be really interested in knowing how he managed to patch the binary on the fly.

Re:

[Securityemo]

You "just" intercept function calls using DLL injection; it's a very useful and basic technique. Another thing you can do with that is process migration from the shellcode, allowing you to hold a system until it's rebooted without creating a separate process, and without touching disk. Take a look at the meterpreter payload from the metasploit project if you want to see a nice example.

Re:

[makomk]

Now, what would be useful and unique - stealing the user's stuff by infecting the client or MITMing the connection at the client machine (between the client software and the network card.)

Was doable once upon a time, if you had the ability to fake source IP addresses on packets and a bit of patience (or alternatively knew a clever trick to make the server treat you as a trusted part of the Second Life grid). Both issues have now been fixed, but there may be others. Didn't even need to compromise the client.

Malicious file embedded inside a virtual world?

[clone53421]

SecondLife didn’t balk when they embedded a malformed QuickTime media file on their pink cube?

Even 4chan scans .jpeg files for embedded RAR archives... how hard is it to figure out that a QuickTime file’s structure is invalid?

Re:Malicious file embedded inside a virtual world?

[Jarik C-Bol]

its second life, do you really expect anything positive from it? its the mos eisley spaceport of gaming.

Re:

[clone53421]

Yeah. I almost self-replied to that effect, but I figured somebody else would. Thanks...

Re:

[Arancaytar]

A wretched hive of scum and villainy!

Re:

[NekoHunter]

Wait... did you just reply to a post about 4chan by saying that something *else* is a hive of scum and villainy?

Re:

[Anonymous Coward]

Keep in mind that Obi-Wan said "you will never find a more wretched hive of scum an villany." That implies that there is more than one such hive.

The GP called Second Life the Mos Eisley of Gaming. You will never find a game world that is a more wretched hive yada yada. That doesn't preclude 4chan being the Mos Eisley of the Whole Damned Internet.

Re:

[clone53421]

Yes, but to put the credit where the credit belongs, I directly implied it before he explicitly stated it.

Re:

[Securityemo]

Because that's not how it works. Why would you verify an entire file structure instead of just checking that the header looks right? In some cases, this might not be enough as the vulnerable code might be parsing a very odd condition of the file format's contents that didn't show up in testing - in that case, the file will look completely valid, or at least can be made to using poly/metamorphic shellcode that's been split up to cram it inside structures that can fit it. But we're talking a few hundred bytes

Re:

[clone53421]

Why would you verify an entire file structure instead of just checking that the header looks right?

Transcoding perhaps? Every video site I’ve ever uploaded to transcoded the video...

Re:

[Securityemo]

Yeah, but in such a case the discussion would be moot; it would probably be extremely unlikely to be able to create a file that, when transcoded, turns into a file that triggers the exploitable condition.

Re:

[MichaelSmith]

Even 4chan scans .jpeg files for embedded RAR archives... how hard is it to figure out that a QuickTime file’s structure is invalid?

Well fine, but that is a specific check for a known attack. How to you scan for all the unknown attacks?

Because that's not how it works.

[sstamps]

It is just a URL that you enter into a field in the in-world parcel data. The simulator hands it to the viewer (client/browser) and tells it to play that and put it onto a texture that is drawn on a 3D surface. The viewer hands the URL to Quickslime, which then plays it. SL's backend never sees the video file/data, as it is directly downloaded from the target host specified in the URL.

I supposed you could argue why don't they run some kind of scanner on the URL before allowing it to be posted. Of course, that is pointless for any number of reasons, including:

1) There is no scanner to check all possible video formats that Quickslime plays, nor one which is foolproof in terms of detecting vulnerabilities.
2) Since the file/data is not hosted by Linden Lab, a single scan would be useless, as an attacker could put up a valid file, run the scan, then replace the file with a malicious one anytime afterwards.

Re:

[quanticle]

As long as the data is being transferred from one client to another without any intermediation on the part of Linden Labs, vulnerabilities like this will continue to exist. The solution is to have all data exchange pass through Linden Labs' servers. Of course, whether this is feasible in terms of bandwidth is an entirely different matter.

Re:

[sstamps]

It isn't feasible, and it isn't the direction or intention of Linden Lab to host such content going forward.

For many years now, they have been approaching their viewer design as a "browser", potentially adding the ability to pull assets (textures, sounds, animations, etc) via http from any source. That's sort of what their newest feature "html-on-a-prim" or "media-on-a-prim" is all about; the beginning of a move towards that. It is a good idea, as it allows for the same decentralization of asset services wh

Heh...

[Anonymous Coward]

You're thinking too small and short term...

The skys the limit once you gain a foothold on the users machine.

You can do ALOT if you don't do anything too noticable or damaging or too much at once.

And many people play games from their work machines. Or from the inside of their 'secure network'.

Can we shut up about SL please?

[Sycraft-fu]

Seriously, the media seems to have a massive hard on for Second Life because they think it is the way the Internet ought to go. In reality Second Life is a pretty sub standard MMO with very few players. Why the hell do the fluff stories about it make Slashdot front page news?

Goes double since it sounds like this problem is fairly unique to SL. If you start seeing this in WoW and Aeon and EVE and so on then that's a story. However this is just a case of a poor excuse for an MMO having poor security. This would be the same as posting "Hey, Cadence SBP 16.3 have a security vulnerability and you need to upgrade to 16.3.014!" Nobody gives a shit, at least not enough people for it to be worth front page Slashdot. I understand if there's a security issue in a major OS, or an app that is widely used but in SL? Who cares? Not enough people to make it /. worthy I'd think.

Re:

[BuckaBooBob]

Not only that the exploit is 2 years old.. There is no mention of anything thats recent in the article.. Quite the pointless article.

Re:

[PietjeJantje]

You must have been in jail or on a space mission the past few years. Welcome back to Slashdot! Second Life is widely regarded as no longer relevant nowadays.

Re:

[Issarlk]

Secondlife is not a MMO. That's why you see it as sub standard.

Think of SL as an awesome 3D chatroom with complete creative power given to its user.

Re:

[muridae]

So . . . vrml and blaxxun.

Re:

[elrous0]

Second Life has put a *lot* of of effort and resources into PR over the years (many developers could learn a thing or two from them in this regard). As a result, their place in pop culture and the media is massively exaggerated. Too many developers neglect promotion in the same way that they neglect good documentation, good design/UI, etc. And that's why Second Life is on "The Office" and no one in the mainstream media has even heard of Linux.

Re:

[DrSkwid]

SL also inspired a whole episode of CSI:New York

Re:

[kilanash]

Seriously, the media seems to have a massive hard on for Second Life...

So does the entire populous of Second Life as well, from what I am told.

Re:

[tlhIngan]

Seriously, the media seems to have a massive hard on for Second Life because they think it is the way the Internet ought to go. In reality Second Life is a pretty sub standard MMO with very few players. Why the hell do the fluff stories about it make Slashdot front page news?

Uh... Second Life is mostly dead these days. Everyone's moved to Facebook. Even companies which were racing to setup SL storefronts are abandoning them in droves after it turns out ROI isn't there and it's just costing money. When the r

Re:

[RJFerret]

Who would care about the games you mentioned? (Although you can play games in SL, the majority of the worldwide users are not "players".) I generate hundreds of dollars annually from my activities in SL, I know others who earn their entire salaries there.

I've never even seen the games you listed, and if there were similar problems with them, I bet a fraction of the people would be affected compared to Second Life.

That being said, I don't presume that similar information shouldn't be shared--in an informat

Once again Linux not vulnerable

[seeker_1us]

No quicktime for Linux :p

Re:Once again Linux not vulnerable

[Anonymous Coward]

The safest airplane is the one that never leaves the ground.

Re:

[Securityemo]

No. See, that's because it's not an airplane, it's a Jawa Sandcrawler/nuclear submarine hybrid. People try to use it as a plane, and some well-meaning souls have tried to glue wings to it in an effort to at least keep up appearances, but it really works much better without those.

Re:

[eldepeche]

Obviously you've never seen Die Hard 2.

Re:

[blair1q]

The first exploit that prevents is the installing of Quicktime.

Re:

[Securityemo]

It's not about the exploit, it's about using shellcode injected into the client to do fun and profitable stuff. The exploitation vector is just an example.

small pink cubes are always problematic

[pedantic bore]

I thought we already knew that.

Re:

[kd5zex]

*Huge* tracts of land....

Today's internal Linden Lab discussion...

[Anonymous Coward]

Here's what happened in one of Linden Lab's internal IRC channel today...

[16:42] [Linden001] hey, we made slashdot: http://it.slashdot.org/story/10/08/18/2154207/Owning-Virtual-Worlds-For-Fun-and-Profit [slashdot.org]
[16:45] [Linden002] fascinating.
[17:11] [Linden003] besides, we enforced the patched version of QuickTime to close this exploit.
[17:12] [Linden003] there is no mention of that in the article either.
[17:14] [Linden003] he's writing about ancient history here (2007) -- it must be slow in the internet security guru business.

Re:

[RobertLTux]

of course thanks to the new SL 2.0 feature of Media On A Prim there can be a huge new set of exploits
(unless they lock down the builtin browser (webkit based))

Re:

[makomk]

Of course, the QuickTime exploit was one of the few Second Life exploits that was actually made public. For example, I had a T-Shirt that would open a remotely-accessible command shell on the wearer's PC in older Second Life client versions (that are no longer in use anywhere). Quietly patched in a new release that was made mandatory a few days later.

Re:

[braddeicide]

[17:14] [Linden003] he's writing about ancient history here (2007) -- it must be slow in the internet security guru business.

Windows users can easily be crashed using this still, but I don't know if it can be used to execute code etc.

Re:

[Joe Snipe]

You know had the Author of TFA used an unpatched exploit as an example there would have been all sorts of clamor about not giving Linden Labs time to patch it. The article itself was on the subject of this attack vector, not this specific vulnerability. Let's not turn Slashdot into a bashing competition, shall we?

Another Solution to This Problem??

[NOPerative]

Personally, I think a heck of a lot more vulnerabilities like this could be found and/or located if there were a decent, free (as in beer) disassembler out there. You would think that the industry giants would be more than willing to donate funds to such a project, yet I have yet to see anything such as this out there. Now, some of you might say, "Well, just jump on the IDA Pro bandwagon." My answer: "Easier said than done." The IDA folks _require_ you to be associated with a business when purchasing the program, where they can track your every move, mainly because they are paranoid that the might "accidentally" sell their software to a software cracker. The funny thing about this is that most crackers wouldn't even bother purchasing the program and just bittorrent the thing to begin with for free. Anywho, my solution is this: start an open-source-disassembler project, which will hopefully attract industry donations, and then offer users of the software incentives for locating vulnerabilities, such as cash rewards (based on severity), free commercial software/hardware, etc., and maybe we might just be instrumental in creating more security experts in the not-too-distant future.

Re:

[UnknownSoldier]

> if there were a decent, free (as in beer) disassembler out there.

Define decent? :-) You mean interactive?

Hiew or something here doesn't fit the bill ?
http://www.thefreecountry.com/programming/disassemblers.shtml [thefreecountry.com]

(Granted, hiew isn't open-source, and technically a hex editor, but it is good.)

Why not clone IDA Pro and OllyDbg ?

Re:

[Anonymous Coward]

A clone of IDA Pro (as in interactive disassembly) with a somewhat intuitive interface would be a good start, although I'm not really sure one would ever say any interactive-disassembler could be intuitive :D. As far as HIEW or any other hex editor goes, I'll just say that u can only go "so far" with a hex editor or something like Olly. We'd need something that could auto-disassemble known text and data segments (such as code generated via Visual Studio and known link libraries), leaving us with unknown are

Re:

[phantomfive]

Just out of curiosity, what does IDA Pro do that free dissassemblers don't do, and why would it make any difference at all if software crackers can already get IDA Pro from bittorrent?

Shades of Neil Stephenson's Snow Crash...

[pidge-nz]

[Victim] Oh! Shiny!

*Victim is now a drooling idiot*

Re:

[GameboyRMH]

First Snow Crash reference is waaaay down the page. This is bloody shameful, Slashdot! >:(

I think the exact same attack could work in SL, except you're pwning the client machine instead of the user's brain.

Well I guess you could try to crash the user's brain once you have control of their machine, by running a high-speed horror slideshow of shock images in fullscreen.

Second Life is irrelevant

[gweihir]

A small, insignificant niche game that practically nobody plays. For some reason, the press loves it though.

Very easy to crash windows quicktime with images

[braddeicide]

We get this a lot, there's many images out there that'll make quicktime crash. We have an image board for showing things we're talking about, when we hit a "bad" image all the windows users disappear (crash) at the same time. A responsible Linux or Mac user then removes the image so they can return ;)

Nothing new

[g0bshiTe]

This exploit they are talking about has been in this game and known about for nearly 5 years.